Abstract — We design polynomial time schemes for secure message transmission over arbitrary networks, in the presence of an eavesdropper, and where each edge corresponds to an erasure channel with public feedback. Our schemes are described through linear programming (LP) formulations that explicitly select (possibly different) sets of paths for key-generation and message sending. Although our LPs are not always capacity-achieving, they outperform the best known alternatives in the literature, and extend to incorporate several interesting scenarios.

I. Introduction

We consider the following setup. A source, Alice, is connected to a destination, Bob, over a packet network that can be represented as an arbitrary directed acyclic graph. Alice wants to send a message to Bob, securely from a passive eavesdropper, Eve, who wiretaps an unknown subset of k edges in the network. Each edge $i$ that connects node $u$ to node $v$ corresponds to a packet erasure channel with probability $\delta_i$; when eavesdropping this edge, Eve also receives the packet transmissions of node $u$ with erasure probability $\delta_{iE}$, independently from node $v$. Moreover, we assume that all legitimate nodes in the network, as well as Eve, causally learn whether $v$ has successfully received the packets $u$ transmits or not; however, Eve does not report which packets she successfully receives.

We propose the first, as far as we know, linear programming 
(LP) formulation, that explicitly selects paths in the network to 
maximize the secure message transmission rate. It is well known 
that the (non-secure) capacity of a network can be described 
by an LP which allows a natural flow-based interpretation 
of network traffic. Our work leverages this formulation to 
implement secure message transmission through a two-phase 
construction. In the first key-creation phase, Alice establishes 
a secret key with Bob; in the second message-sending phase, 
she uses the established secret key to encode and securely send 
a message. Accordingly, our LP selects two sets of paths (that 
share the network resources): key-creation paths, that Alice will 
use to share random packets with Bob (so as to create a secret 
key), and message-sending paths, that Alice will use to send 
the encrypted message. We term this end-to-end encryption 
algorithm (Algo 1). We discuss several extensions of Algo 1, 
notably Algo 2, that apart from the end-to-end key, also creates 
and utilizes link-by-link keys for secure message transmission. 

The LPs we propose are not optimal, but are still, we believe, interesting. An example where the LPs are suboptimal is the triangle network, where the capacity was characterized in [?]. However, there are also a number of examples where the LPs do achieve the known capacity (such as the two-parallel edges network, and the line network); they outperform the best known alternative in the literature in all the cases that we have tested; and they enable new observations. For instance, over erasure networks, there are cases where the key-sharing and message-sending paths use different edges (while over lossless networks, using the same sets of paths is optimal).

Another attractive attribute of the proposed LPs is their generality: the LPs take as input the erasure probabilities $\delta_i$ and $\delta_{iE}$ at every channel edge $i$, that can be arbitrary. For instance, with $\delta_i = \delta_{iE} = 0$ we recover the lossless network case, and the LPs achieve the secure network coding rate (which is the optimal scheme for lossless channels). Moreover, similarly to the max-flow LP, our LPs can be extended to incorporate multiple sources, multiple receivers, edges with costs, etc.

The paper is organized as follows. Section II briefly reviews related work; Section III introduces our notation; Section IV presents the algorithms; and Section V has evaluation results.

II. Related Work

Finding the highest achievable rate of secure communication of an arbitrary network setting is an open research problem. In the special case when the network consists of error-free, unit capacity channels, secure network coding is optimal [?]. For the same problem when the channels are not unit capacity (but still error-free), restricted complexity results suggest the hardness of calculating the secret message capacity [?], [?]. When the network edges are erasure channels all with the same parameters and channel state feedback, and the paths used for Alice to communicate with Bob are decided in advance, a secure communication achievable scheme is proposed in [?]. In contrast, this work provides schemes for arbitrary erasure channel parameters, and explicitly selects the best paths in the network so as to maximize the achievable rates. For a number of small networks (single channel, V-network, triangle network, line network) with erasures and state feedback, capacity characterization and a linear programming formulation were derived in [?], [?], [?], [?], [?], [?]. Our approach in this work is different: instead of schemes tailored to specific topologies, we design schemes that are general and extend to arbitrary network topologies. A preliminary version of LP formulations (a precursor of the algorithm we call Algo 1) for this problem was presented as an invited poster in a workshop [?].


III. System Model and Notation 


IV. End-to-End Encryption Algorithm 


A source $s$ (Alice) wants to send a message $W$ securely to a destination $d$ (Bob), over a directed acyclic graph $G = (V, \mathcal{E})$, where each edge $g$ that connects node $u$ to node $v$ represents an orthogonal discrete memoryless broadcast erasure channel with two receivers: node $v$ and potentially a passive eavesdropper (Eve). We denote by $X_{gi}$ the input to channel $g$ at time slot $i = 1 \ldots n$, and by $Y_{gi}$ and $Z_{gi}$ the corresponding outputs at node $v$ and Eve respectively. We assume that $X_{gi}$ is a length $L$ vector over a finite field (in the paper we use the convention that $L \log(q) = 1$). We use 0 as the symbol of an erasure. The broadcast channel is conditionally independent, namely

n 

= \{V,{Yg,\Xgi\Vr{Zg,\Xg,}, 

2=1 


with Pt{y,.|A',.} = (' ■’»' 

[dg, Ygi=0, 

anti Pr{Z„|X,.) 

We assume that the source has unlimited private randomness, and that all other network nodes have no private randomness. We also assume public state feedback, that is, each legitimate node sends an ACK (or NACK) so that all other nodes (including Eve) learn whether the packet transmission was successful. We use the notation $S^{i-1}$ for the state of all the channels before the transmission of the symbols. Also the notation $I_u$ and $O_u$ for the set of the incoming and outgoing edges of node $u$.

We require security in the strong information theoretical sense, defined next in the same way as in [?], [?]. We use $X_{Ai}$, for a set $A$, to denote the vector and $X_A^i$ to denote the vector $(X_{A1}, X_{A2}, \ldots, X_{Ai})$.

Definition. We say that $R_{SM}$ is an achievable secret message rate if for any $\epsilon > 0$ and sufficiently large $n$ the following conditions hold for some functions $f_{gi,n}(\cdot)$, $W_{B,n}(\cdot)$.

For $u \in V - \{s\}$ and for every $g \in O_u$:

$$X_{gi} = f_{gi,n}(Y_{I_u}^{i-1}, S^{i-1}) \quad (1)$$

and for every $g \in O_s$:

$$X_{gi} = f_{gi,n}(W, U_0, S^{i-1}) \quad (2)$$

where $U_0$ is the unlimited random source of Alice and where the message $W$ is uniformly distributed over {1, 2, ...,

Bob is able to recover $W$ with high probability,

$$\hat{W} = W_{B,n}(Y_{I_d}^{n}), \quad (3)$$

$$\Pr\{\hat{W} \neq W\} < \epsilon. \quad (4)$$

Eve gains negligible useful information by observing $V \subset \mathcal{E}$:

$$I(W; Z_V^n S^n) < \epsilon, \quad \forall V \subset \mathcal{E}. \quad (5)$$

The supremum of all achievable secret message rates is the secret message capacity of the network, denoted by $C_{SM}$.


Broad Approach: The algorithm selects two (possibly different) sets of paths, one set for key-creation and the other for message-sending. The source uses the first (key-creation) set of paths to send random packets to the destination; intermediate nodes forward the random packets they receive from their incoming edges to their outgoing edges using two techniques, ARQ and MDS expansion, as we will describe later in this section. The source and the destination create an end-to-end secret key, based on their shared random packets and an estimate of how many of these Eve has eavesdropped. The algorithm also selects a second set of paths, over which the source sends an information message to the destination, encrypted with the source-destination end-to-end key. Intermediate nodes simply forward the encrypted packets using ARQ. The goal of the program is to maximize the rate at which the message can be sent securely to the destination, by optimizing over two things: 1) which paths are selected for key-creation and message-sending, and 2) how the random packets are forwarded by the intermediate nodes.


A. Scheme Description and Algo 1 LP 

We start from the case where Eve observes any (one) edge of 
the network. All the LP variables express rate of packets, either 
message-packets, or random-packets. 

Key-creation constraints: The source generates uniform random packets, to be sent to the destination. The intermediate nodes collect the random packets they receive from all their incoming edges, partition them into subsets, and send a subset to each of their outgoing edges using two techniques, Automatic Repeat Request (ARQ) and Maximum-Distance-Separable (MDS) code expansion. To capture this, for each edge (channel) $g$, that connects say vertex $u$ to vertex $v$, the LP uses three variables $s_g$, $k_g$ and $r_g$. Node $u$ sends $k_g$ packets to node $v$, by first multiplying these packets with an MDS code of size $\frac{k_g}{1-\delta_g\delta_{gE}} \times k_g$ to create $\frac{k_g}{1-\delta_g\delta_{gE}}$ linear combinations, and then transmitting each linear combination exactly once (we discuss later why we expand with these parameters). From these packets, $v$ receives a fraction $k_g \frac{1-\delta_g}{1-\delta_g\delta_{gE}}$. Moreover, $u$ also sends to node $v$ $r_g$ packets using ARQ; $v$ receives all these packets. Node $v$ receives in total rate $s_g$ random packets, with

$$s_g = r_g + k_g \frac{1-\delta_g}{1-\delta_g\delta_{gE}}. \quad (6)$$

If node $u$ has incoming edges $I_u$ and outgoing edges $O_u$, we have that

$$\sum_{i \in I_u} s_i = \sum_{j \in O_u} (k_j + r_j). \quad (7)$$

This constraint requires that the random packets node u sends 
are equal to the random packets it receives; that is, intermediate 
network nodes do not discard or generate random packets. 

Message-sending constraints: The source encrypts the message using an end-to-end key (we will describe how later), and forwards it to the destination; each intermediate node uses ARQ to forward the encrypted message packets it receives. The LP uses a variable $m_g$ to capture the encrypted message packets that node $u$ sends to node $v$ through the edge $g$ that connects them; note that to do so, node $u$ makes $\frac{m_g}{1-\delta_g}$ transmissions. We require message flow conservation, i.e.,

$$\sum_{i \in I_u} m_i = \sum_{j \in O_u} m_j. \quad (8)$$

Timesharing (edge capacity) constraints: Random and encrypted packets need to potentially share the network edges (channels); we thus require for every edge of the network that

$$\frac{m_g}{1-\delta_g} + \frac{k_g}{1-\delta_g\delta_{gE}} + \frac{r_g}{1-\delta_g} \le 1. \quad (9)$$


Security constraints: If Eve is located on edge $g$, she will overhear a fraction

$$\frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}}$$

of the encrypted message flow $m_g$ through that edge. A necessary condition for our scheme to be secure is that this amount of message is smaller than the amount of random packets that Alice and Bob have and Eve does not, i.e., the secret common random packets (this condition is also sufficient for security as we discuss later on). Alice and Bob share $\sum_{i \in I_d} s_i$ random packets; thus if, from these packets, Eve has overheard say $E_g$ (by observing the random packet flow through edge $g$), then the security constraint would be:

$$m_g \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}} \le \sum_{i \in I_d} s_i - E_g.$$

Conservatively estimating Eve's knowledge $E_g$: Consider again edge $g$ that connects vertex $u$ to vertex $v$. A conservative way to estimate Eve's knowledge is to set

$$E_g = r_g \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}} + k_g \frac{(1-\delta_{gE})(1-\delta_g)}{1-\delta_g\delta_{gE}}.$$

That is, calculate the number of random packets that both node $v$ and Eve receive. This estimate is conservative because we assume that all the randomness node $v$ receives eventually reaches the destination (Bob), which is not necessarily true. Indeed, when nodes forward packets using the MDS expansion, we
"lose" part of the randomness (from the kg random packets, node 
u only receives kg e )• 1 *^his approximation. 

Message encryption at the source: The LP identifies the rate $R$ at which we can send an encrypted message, and the rates $m_g$ of the message that flow through each edge. We encrypt the message using a one-time pad approach and a key of size $R$, that we create by multiplying the $\sum_{i \in I_d} s_i$ packets that Bob receives with an $R \times \sum_{i \in I_d} s_i$ MDS matrix.
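The constraints of this subsection can be assembled into the Algo 1 LP and solved for small networks, as in the following added example. It is not the authors' code (the paper's evaluation used matlab): the function names, the edge-tuple input format and the small exact simplex solver are assumptions made here, the constraints are coded as read from the text above, and $s_g$ is eliminated through $s_g = r_g + k_g \frac{1-\delta_g}{1-\delta_g\delta_{gE}}$.

```python
from fractions import Fraction as F


def simplex_max(c, A, b):
    """Maximise c.x s.t. A x <= b, x >= 0, all b >= 0 (so x = 0 is feasible).
    Dense tableau simplex with Bland's rule; exact on Fractions."""
    m, n = len(A), len(c)
    T = [[F(v) for v in A[i]] + [F(int(i == j)) for j in range(m)] + [F(b[i])]
         for i in range(m)]
    T.append([-F(v) for v in c] + [F(0)] * (m + 1))      # objective row
    basis = [n + i for i in range(m)]                     # slacks start in the basis
    while True:
        col = next((j for j in range(n + m) if T[m][j] < 0), None)
        if col is None:
            break                                         # no improving column: optimal
        rows = [i for i in range(m) if T[i][col] > 0]
        if not rows:
            raise ValueError("LP is unbounded")
        row = min(rows, key=lambda i: (T[i][-1] / T[i][col], basis[i]))
        piv = T[row][col]
        T[row] = [v / piv for v in T[row]]
        for i in range(m + 1):
            if i != row and T[i][col] != 0:
                f = T[i][col]
                T[i] = [v - f * w for v, w in zip(T[i], T[row])]
        basis[row] = col
    x = [F(0)] * n
    for i, var in enumerate(basis):
        if var < n:
            x[var] = T[i][-1]
    return T[m][-1], x


def algo1_rate(edges, src, dst):
    """Algo 1 LP, Eve on any one edge. edges = [(u, v, delta, delta_E), ...]
    with every delta < 1. Returns (R, [{'m','k','r','s'} per edge])."""
    E = len(edges)
    d = [F(e[2]) for e in edges]
    dE = [F(e[3]) for e in edges]
    recv = [(1 - d[g]) / (1 - d[g] * dE[g]) for g in range(E)]   # MDS share v receives
    eve = [(1 - dE[g]) / (1 - d[g] * dE[g]) for g in range(E)]   # ARQ share Eve overhears
    M, K, R_ = (lambda g: 3 * g), (lambda g: 3 * g + 1), (lambda g: 3 * g + 2)

    def s_terms(g, sign=1):      # s_g = r_g + k_g * recv_g (eq. 6), s_g eliminated
        return [(R_(g), F(sign)), (K(g), sign * recv[g])]

    A, b = [], []

    def leq(terms, rhs):         # append one row "sum(coef * x[idx]) <= rhs"
        row = [F(0)] * (3 * E)
        for idx, coef in terms:
            row[idx] += coef
        A.append(row)
        b.append(F(rhs))

    def eq0(terms):              # equality with 0, written as two inequalities
        leq(terms, 0)
        leq([(i, -c) for i, c in terms], 0)

    into = lambda u: [g for g in range(E) if edges[g][1] == u]
    out = lambda u: [g for g in range(E) if edges[g][0] == u]
    nodes = {e[0] for e in edges} | {e[1] for e in edges}
    for u in sorted(nodes - {src, dst}):
        eq0([(M(g), F(1)) for g in into(u)] + [(M(g), F(-1)) for g in out(u)])  # (8)
        eq0([t for g in into(u) for t in s_terms(g)] +
            [(f(g), F(-1)) for g in out(u) for f in (K, R_)])                   # (7)
    shared = [t for g in into(dst) for t in s_terms(g, -1)]   # -sum_{i in I_d} s_i
    for g in range(E):
        leq([(M(g), 1 / (1 - d[g])), (K(g), 1 / (1 - d[g] * dE[g])),
             (R_(g), 1 / (1 - d[g]))], 1)                                       # (9)
        leq([(M(g), eve[g]), (R_(g), eve[g]), (K(g), eve[g] * (1 - d[g]))]
            + shared, 0)                       # security with conservative E_g
    obj = [F(0)] * (3 * E)
    for g in into(dst):
        obj[M(g)] = F(1)
    R, x = simplex_max(obj, A, b)
    plan = [{"m": x[M(g)], "k": x[K(g)], "r": x[R_(g)],
             "s": x[R_(g)] + x[K(g)] * recv[g]} for g in range(E)]
    return R, plan


# Constructed sample networks (values chosen for illustration).
SINGLE = [("A", "B", F(1, 5), F(1, 2))]
LOSSLESS_LINE = [("A", "v", 0, 0), ("v", "B", 0, 0)]
LOSSLESS_PARALLEL = [("A", "B", 0, 0), ("A", "B", 0, 0)]
ERASURE_LINE = [("A", "v", F(1, 5), F(1, 2)), ("v", "B", F(1, 5), F(1, 2))]

if __name__ == "__main__":
    for name, net in [("single", SINGLE), ("lossless line", LOSSLESS_LINE),
                      ("lossless parallel", LOSSLESS_PARALLEL),
                      ("erasure line", ERASURE_LINE)]:
        print(name, algo1_rate(net, "A", "B")[0])
```

On the lossless line the rate is zero and on two lossless parallel edges one edge carries the key and the other the message, while the erasure line obtains a positive rate from the erasures alone.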


B. Discussion 

Why use MDS expansion at intermediate nodes: When the network consists of a single edge, the optimal key-generation scheme has Alice generate packets uniformly at random and send these to Bob [?]; this has the advantage that packets that Eve receives and Bob does not, give no information to Eve about the packets Bob receives. Using MDS at intermediate nodes mimics this effect more efficiently; the observation is that, if Alice sends

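Algo 1 LP with end-to-end encryption and $E_g$ approximation

Input: Set of erasure probabilities $\delta_g$ and $\delta_{gE}$

Output: Secure message rate and achievability scheme parameters

$$\max R, \quad \text{s.t.:}$$

$$R = \sum_{i \in I_d} m_i$$

$$\forall u \in V - \{s, d\}:$$

$$\sum_{i \in I_u} m_i = \sum_{j \in O_u} m_j$$

$$\sum_{i \in I_u} s_i = \sum_{j \in O_u} (k_j + r_j)$$

$$\forall g \in \mathcal{E}:$$

$$s_g = r_g + k_g \frac{1-\delta_g}{1-\delta_g\delta_{gE}}$$

$$1 \ge \frac{m_g}{1-\delta_g} + \frac{k_g}{1-\delta_g\delta_{gE}} + \frac{r_g}{1-\delta_g}$$

$$m_g \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}} \le \sum_{j \in I_d} s_j - r_g \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}} - k_g \frac{(1-\delta_{gE})(1-\delta_g)}{1-\delta_g\delta_{gE}}$$

$$\forall i: \ m_i, s_i, k_i, r_i \ge 0.$$
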


uniform at random packets, there exist some packets that neither Bob nor Eve receive; thus in a sense these packets do not serve any purpose. To avoid this, Alice can simply expand the $k$ packets to packets. MDS combining has the property that Eve cannot learn anything about the packets that Bob receives, from the packets that only she (and not Bob) has collected. This observation and the corresponding proof were provided in [?]. The LP selects what fraction of the packets to send using MDS, and what fraction to send using ARQ, separately for each edge. ARQ has the advantage that it preserves all random packets, and the disadvantage that Eve learns more about the packets that Bob collects.

Why ARQ for message sending: ARQ is a capacity achieving strategy over erasure channels, as is also erasure coding. However, when we are interested in secure message sending, if we were to take the message, encrypt it with a one-time pad, and then use erasure correcting coding to transmit it to Bob, we would get a worse performance than if we send the encrypted message with ARQ. This is because, with erasure coding, every packet Eve receives gives her new information about the information message; however, with ARQ, she may receive repeated packets, that bring her no new information.

Exact calculation of $E_g$: One method is similar to the standard path-LP formulation of the (non-secure) max flow LP, i.e., the LP that assigns rates to each of the paths that connect a source to a destination. To calculate $E_g$, we associate with each path $p$ a random packet flow $s_p$ that captures the delivered random packets through that path from Alice to Bob. We can then calculate how many of the packets Bob receives are delivered through paths that include edge $g$, and remove the fraction that Eve overhears. This approach has a compact LP form and is illustrated in Algo 2. Although this formulation has exponential complexity, it is also possible to exactly calculate $E_g$ in polynomial time (see Appendix). For this, we need to assume that network nodes do an additional operation: every node in the network uniformly at random mixes its incoming random packets before forwarding them towards Bob; we thus ensure that "all packets are treated equally". We then reduce the problem to calculating what fraction of the random packets that go through a given node reach Bob.

C. Analysis 

Why the scheme is secure: This follows directly by applying Theorems 10 and 11 of [?] as well as Lemma 4 of [?]. For completeness we include a proof in the Appendix.

Reduction to secure network coding: By setting $\delta_i = \delta_{iE} = 1$ for every edge of the network, the solution of the Algo 1 LP gives the same result as secure network coding. Indeed, if we assume that the mincut equals $h$, selecting $h$ edge-disjoint paths, and using $h - 1$ of them to send the encrypted message and one to send random packets for key generation, is a feasible solution. From [?] it is also an optimal solution for this network.

Suboptimality: The achievability algorithm we presented is suboptimal, not only because it uses an estimate for $E_i$, but also because it only creates an end-to-end key; we know from the work in [?] that, to achieve the capacity in some cases, even when the intermediate nodes do not have private randomness, we need to create and explore common randomness they have by receiving the same source-generated random packets, leading to an exponential complexity problem [?], [?].

Optimality in some cases: In some cases where the secure message capacity is known, we can prove that Algo 1 (or Algo 2 we describe later) is optimal. For illustration, we provide in the Appendix a proof that Algo 1 is optimal when Alice is connected to Bob through two parallel channels. Algo 2 achieves the capacity of the line network, as again shown in the Appendix.


Algo 2 LP with end-to-end and link-by-link encryption, and with $E_g$ exact calculation

Input: Set of erasure probabilities $\delta_g$ and $\delta_{gE}$

Output: Secure message rate and achievability scheme parameters


maxi?, s.t.: 

R = rrii 

i&Io 

Vu G V — {s, d} : 

^ ^ rrig 

^ Si > ^ (kj+Tg) 

iei^ jeo^ 

yg&£- 

Sn = r„ + k„ 


1 - SgSgE 


1 > 


-f 


Too 


1 - 1 - 6gSgE 1 “ 


V : rrii, Si, Sp,ki,ri > 0. 


Sg — ^ Sp 

peP:gep 

^-SgE ^ ^ - Sg) 

g^gE 


^9 

( 10 ) 

( 11 ) 




P^P'-o 


Algo 2 description: In this algorithm the message is 
encrypted both with an end-to-end key, and a link-by-link key 
(that is applied and peeled off at every edge). The source again 
selects two (possibly different) sets of paths, one set for random- 
packet-sending and the other for message-sending. An end- 
to-end key is created from these random packets. The source 
encrypts all the packets with this end-to-end key and transmits 
them appropriately through the message-sending paths. 


D. Extensions 

Given the framework of Algo 1, we can directly extend it in a number of cases, as is also the case for the max flow LP, albeit at additional complexity cost in some cases. For instance, we can extend it to address the following:

1. Link-by-link key creation (see for example Algo 2).

2. Multicasting to more than one receiver (following a similar approach to the network coding LP in [?], [?]).

3. Eve wiretaps more than one edge (if Eve eavesdrops $V$ edges, $E_g$ would be the amount of random packets Eve has collected by eavesdropping on edge $g$ plus $V - 1$ arbitrary other edges. We provide such an LP in the Appendix for illustration.)

4. Multiple sources not collocated transmitting messages to the same receiver (in this case, we can combine random packets across sources to create link-by-link keys; see Appendix).

5. Having costs associated with edges (similarly to [?]).


Furthermore, node $u$ (connected to node $v$ through edge $g$) may also apply an additional link-by-link key, that node $v$ will remove before further forwarding and potentially re-encrypting the message. Note that $u$ may send to node $v$ more random packets than what node $v$ can forward to Bob, as these extra packets are still useful to create a larger link-by-link key for edge $g$. Algo 2 uses all the $s_g$ random packets to create the link-by-link key. These packets can no longer contribute to the end-to-end key that will also protect the message $m_g$ through edge $g$, and need to be accounted for.

Algo 2 exactly calculates how many of the $s_g$ packets reach Bob, through a path flow-decomposition approach. We denote with $P$ the set of all paths in the network that begin from the source, with $P'$ all the Alice-Bob paths, and with $P'_{-g}$ all Alice-Bob paths that do not utilize edge $g$. The LP assigns values to each message-path-flow $s_p$ and of course it is

$$s_g = \sum_{p \in P:\, g \in p} s_p.$$

For the calculation of the key for edge $g$:

The link-by-link key is calculated as the random packets that pass through edge $g$ and are not heard by Eve,

$$(k_g + r_g) \frac{\delta_{gE}(1-\delta_g)}{1-\delta_g\delta_{gE}}.$$

The end-to-end key is calculated as the random packets that were transmitted to the destination without passing through edge $g$,

$$\sum_{p \in P'_{-g}} s_p.$$

Since we are protecting from an Eve at edge $g$, we are sure that all these packets are secure.

Thus the security condition becomes

$$m_g \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}} \le (k_g + r_g) \frac{\delta_{gE}(1-\delta_g)}{1-\delta_g\delta_{gE}} + \sum_{p \in P'_{-g}} s_p.$$

The LP can choose among many different path-flows for the messages in order to achieve the same $s_g$ for all edges $g$. The optimal choice is the one that maximizes the secure message sending rate.


V. Evaluation

We used numerical evaluations (through matlab) to solve the LPs over specific configurations where the capacity is known. We verified that:

• Selecting paths helps. The optimal message-sending and key-creation sets of paths in several instances did not share all edges. Such an example is provided in Fig. 1(a).

• Generating keys using MDS helps. Fig. 2(a) shows the performance we get over a two-hop line network (Fig. 1(b) with N = 2), when: 1) we allow the LP in Algo 1 to only use ARQ for the random packets propagation to the destination, and 2) we use both ARQ and MDS for the same purpose. The benefits of using MDS in this case are clear. Note that over the line network secure network coding achieves zero rate.

• Algo 1 is suboptimal. Fig. 2(c) compares the performance of Algo 1 with the capacity of the two-hop line network [?]; when Eve only wiretaps the first channel, and the first channel is better than the second, the optimal strategy uses a link-by-link key; Algo 1 cannot do this. Algo 2, that can do so, achieves the capacity.

• Using link-by-link keys can help. See previous point.

• We achieve benefits over secure network coding. We compare Algo 1 against using channel coding followed by secure network coding. Fig. 2(b) considers a configuration where Alice is connected to Bob through multiple parallel channels; this is a "worse case" configuration in terms of expected benefits, as the main opportunity to create keys comes from the number of paths (and not erasures), that secure network coding also leverages. The constant benefits Algo 1 offers are exactly due to exploiting the erasures over the edge that Eve wiretaps.
(a) Message-sending and key-creation paths can be different: the upper path is used only for message flow, the lower path is shared. We depict the optimal values Algo 1 has selected. (b) Line network with $N + 1$ nodes.

Figure 1. Network configurations.

(a) Two hop line network. (b) Multiple parallel channels with $\delta_{iE} = 0.8$, $\delta_i = 0.6$ for $i$ odd, and $\delta_{iE} = 0.9$, $\delta_i = 0.6$ for $i$ even. (c) Two hop line network.

Figure 2. Evaluation results through matlab.


VI. Appendix 

We provide the following at the interested reviewer's discretion: A) Optimality of Algo 1 for two parallel channels; B) Optimality of Algo 2 for line network; C) Calculation of $E_g$ in polynomial time; D) Security of Algo 1; and E) Examples of extending the LPs.

A. Optimality of Algo 1 for the two parallel channels network 
The outerbound in [?] for the two parallel channels is:

$$\max M, \quad \text{s.t.:}$$

$$M = (1-\delta_1) M_1 + (1-\delta_2) M_2$$

$$1 \ge C_1 + M_1$$

$$1 \ge C_2 + M_2$$

$$M_1 \frac{(1-\delta_{1E})(1-\delta_1)}{1-\delta_1\delta_{1E}} \le C_2 (1-\delta_2) + C_1 (1-\delta_1)\delta_{1E}$$

$$M_2 \frac{(1-\delta_{2E})(1-\delta_2)}{1-\delta_2\delta_{2E}} \le C_1 (1-\delta_1) + C_2 (1-\delta_2)\delta_{2E}.$$

A feasible solution for the Algo 1 LP is $r_1 = 0$, $r_2 = 0$. In this case, making the correspondence $m_i \to (1-\delta_i) M_i$, $k_i / (1-\delta_i\delta_{iE}) \to C_i$ for $i \in \{1, 2\}$, we can see that the two LPs are equivalent. Thus the end-to-end encryption algorithm achieves the capacity of the parallel channels network.

B. Optimality of Algo 2 for line network 

The outerbound derived in [?] for the line network is:

max TO, 
s.t. yj G JV : 


1 — SjE 

1 ax ’™ 

1 - SjSjE 

< 

kj 

kj TO 

< 

1 

(1 — Sj)SjE 1 — Sj 

kj 

< 

SjEil - Sj) 

dj + TO 

< 

1 - Sj 

dj 

< 

J > 1 


In this case there is only one path and Algo 2 becomes 
equivalent to the outerbound of the line network, and thus 
achieves the capacity of the line network. 


C. Exact calculation of Eg 

The LP in Algo 3 achieves a polynomial time calculation of $E_g$. As we mentioned in the paper, to do so, we need to assume that network nodes do an additional operation: every node in the network uniformly at random mixes its incoming random packets before forwarding them towards Bob; we thus ensure that "all packets are treated equally". We then reduce the problem to calculating what fraction of the random packets that go through a given node reach Bob. Note that Alice needs to know the linear combinations of the random packets to be able to reproduce them when establishing the secret key with Bob.

Consider a directed acyclic graph, where there is an implicit partial ordering of edges. We say that edge $g < j$ if there exists a directed path that connects edge $g$ to $j$. The basic idea in the LP is to keep track of what amount of the random packets $s_g$ at edge $g$ are part of the random packets in $s_j$, with $g < j$.



























Algo 3 Same as Algo 1 but with exact $E_i$ calculation in polynomial time.

Input: Set of erasure probabilities $\delta_i$ and $\delta_{iE}$.

Output: Secure message rate and achievability scheme parameters

maxi?, s.t.: 

R = rrii 

'iueV-{s,d} : (12) 

^ ^ rrij 


iei'u jeO^ 

ie/ii ieO„ 

1-^0 


'^gg 


1 > 


1 - 5g5gE 


is the virtual flow in these packets that has also passed through 
g. We require in the LP that 

B <A. 

Because intermediate nodes form and propagate linear combinations of packets, we can let the LP assign (consistently with the constraints) virtual flow values that maximize the secure message rate. We calculate the part of $s_g$ that Bob received as $\sum_{j \in I_d} s_{gj}$. Note that the last equation (that includes the min) can be easily written in linear form.

D. Security for Algo 1 

As mentioned earlier, security follows directly by applying Theorems 10 and 11 of [?] as well as Lemma 4 of [?]. For completeness we include here a proof; this does not use the above but follows the proof approach in [?].

We denote by.

The $C_g$ are (with high probability) the number of secure packets that Bob has received after $N$ time slots, given that: 1. All the packets that passed through edge $g$ actually reached Bob (conservative assumption), 2. Edge $g$ was the one that was eavesdropped. This concentration result is proved, using the Chernoff-Hoeffding bound, as follows,

PrllCg - Cg\ > N^/'^\Ge =g} = exp f) = o{N), 


$$m_j, s_{ij} \ge 0, \quad \forall i, j.$$


In the LP, the variables $s_{gj}$ are used to denote random packets that have passed through edge $g$ and also through edge $j$, with $g < j$. For consistency of notation, we use $s_{gg}$ instead of $s_g$.

We think of the $s_{gj}$ as "virtual flows", similarly to the approach in [?]. Thus, we require that

$$\forall g, j \in \mathcal{E}, \text{ with } g < j: \quad s_{gj} \le s_{jj}.$$

Consider now a node $u$. The quantity


^ = X bj - X 


Sj-i 


captures how many of the random packets that are incoming to 
node u, reach the "next hop" nodes towards Bob. The quantity 


^ = X " X 

iGO„ 


where $C_g$ is the random variable of the number of secure packets that Bob has received after $N$ time slots. Also, we use the random variable $G_E$ to denote the edge that is eavesdropped.

It is,

$$I(W; Z^n S^n) = I(W; W_I),$$

where with $W_I$ we denote the packets that are heard by Eve and $I$ is the set of indices of these overheard columns. We know that,

$$H(W_I \mid |I| = i, G_E = g) \le i.$$

Furthermore, from the MDS property of the $A$ matrix, we have,

$$H(W_I \mid W, |I| = i, G_E = g) = H(QA \mid W, |I| = i, G_E = g) \ge \min\{i, C_g\}$$

(i - min {i, C_g}))

We need a concentration result for $|I|$ by using the erasure channel probabilities. By inspecting the ARQ scheme, the probability that a given encrypted message packet is received correctly by Eve is,

$$p = (1-\delta_{gE}) + \delta_g\delta_{gE}(1-\delta_{gE}) + \cdots = \frac{1-\delta_{gE}}{1-\delta_g\delta_{gE}}.$$

Then, $|I|$ can be seen as a sum of $m_g N$ independent random variables on $\{0, 1\}$ drawn from a Bernoulli $\mathrm{Ber}(p)$ distribution. So, we have that.


Algo 4 Eve observing multiple edges

Input: Set of erasure probabilities $\delta_i$ and $\delta_{iE}$, number of eavesdropped edges $V$.

Output: Secure message rate and achievability scheme parameters

And, from the Chernoff-Hoeffding bound,

$\Pr\{|I| > c_g \mid G_E = g\} = \Pr\{|I| > b_g + (c_g - b_g)\} \le \exp$

Thus,

$m_i, s_i, k_i, r_i \ge 0, \quad \forall i.$


N

which goes to zero as $N$ grows.

E. Extensions of LPs 

We here provide LPs that extend Algo 1 & Algo 2, as discussed in Section IV-D.

1) Algo 4: Eve observing multiple edges: Algo 4 presents a case where Eve observes multiple ($V$) edges; what changes in this case is that $E_i$ needs to account for all packets that Eve (and Bob) may have received, when Eve wiretaps edge $i$ and any other $V - 1$ edges. Algo 4 is a variation of Algo 1; note that its complexity increases exponentially with the number of wiretapped edges $V$.

In particular, we follow the conservative assumption that all the eavesdropped packets reach Bob, and that they are all different from each other (which may not be the case, since the same packet may be heard again by Eve on a different edge). Thus, in the security constraint of the LP we subtract from the total number of Alice-Bob shared packets the number of packets that were heard by Eve in all the channels she overhears.
The notation $G_E \subset_V \mathcal{E}$ denotes that $G_E$ is a subset of $\mathcal{E}$ with cardinality $V$.

2) Algo 5: Multiple sources: Algo 5 presents the extension of Algo 2 in the case where there are $L$ sources, and each has a different message to send to a common destination. At first glance, it might seem that the best we could do would simply be time-sharing between $L$ different secure message transmissions (from the $L$ sources to the receiver). However, during the key-creation phase, we can exploit random packets originating from a given source, say source one, to create link-by-link keys that will be used to better protect a message sent by, say, source two. In particular, we can pull together the randomness generated by all sources to create a "universal" link-by-link key that protects all messages through that link.

We denote by $m_{li}$ the message rate at edge $i$ of the packets of source $l$. We use the notation $s_{li}$, $r_{li}$, $k_{li}$. We impose a time sharing (capacity) constraint at each edge, for the sum of the packets that flow in that edge:
Algo 5 LP with multiple sources located on different nodes

Input: Set of erasure probabilities $\delta_i$ and $\delta_{iE}$.

Output: Secure message rate and achievability scheme parameters

the security constraint, $w_{lg}$ takes the place of the link-by-link key in edge $g$ for the message of transmitter $l$,
Each source functions independently, sending random packets, creating the end-to-end key and encrypting its message with it. This key is shared only between the specific sender and Bob. Thus we cannot use it to encrypt end-to-end the messages of the other sources. However, all the random packets (from all sources) that flow through an edge can be used to create one universal link-by-link key. This key can be used to encrypt all the packets (with link-by-link encryption), since the key will be peeled off in the next node. Thus the size of the key is.
We denote with $w_{lg}$ the amount that will be used for the link-by-link encryption of the message of transmitter $l$. Of course, the total amount of these parts cannot be bigger than the amount of the universal key we created.